CN112688933A - Attack type analysis method, device, equipment and medium for IPv6 - Google Patents


Info

Publication number
CN112688933A
Authority
CN
China
Prior art keywords
attack
address
module
information
ipv6
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011522457.0A
Other languages
Chinese (zh)
Inventor
黄友俊
李星
吴建平
吕泓卓
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CERNET Corp
Original Assignee
CERNET Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present disclosure provides an attack type analysis method for IPv6, including: deploying a distributed honeypot system under an IPv6 network environment, and capturing attack behaviors to obtain attack information; deploying a NETFLOW monitoring system under the same IPv6 network environment, and acquiring data information generated by accessing the IPv6 network; and analyzing the attack information and the data information in a linkage manner, summarizing attack source IP address segments, and analyzing the differences in attacked types across different areas according to the attack source IP address segments. The disclosure also provides an attack type analysis device for IPv6, an electronic device and a readable storage medium. The method, device, equipment and medium can accurately and efficiently analyze the differences in attack types across regions, and greatly improve the defense capability of an IPv6-based education network backbone and similar networks.

Description

Attack type analysis method, device, equipment and medium for IPv6
Technical Field
The present disclosure relates to the field of internet technologies, and in particular, to a method, an apparatus, a device, and a medium for analyzing attack types in IPv6.
Background
With the vigorous development of IPv6 network technology, various intrusion events and intrusion techniques have developed alongside it, raising a series of security problems. In particular, with the introduction of security mechanisms in next generation networks, the security of the network layer is enhanced, and the application of these security mechanisms also places new requirements and challenges on conventional intrusion detection systems. Honeypot systems are programs, machines or systems placed in a network to deceive intruders. The idea is to fool an attacker by making the honeypot look as much like a normally used system as possible. It is typically a virtual machine that emulates a real machine by emulating running services and open ports. These running services are intended to attract the attention of attackers so that they spend a lot of time and resources trying to take down the host. At the same time, the behavior of the attacker is already under surveillance and recorded by the honeypot system.
Honeypots are physically a single machine that may run multiple virtual operating systems, but cannot control outgoing connections because the packets are going directly into the network. In this case, a firewall must be used to limit outgoing packets. Therefore, how to deploy the honeypot system to realize the analysis of the attack types is particularly important.
Disclosure of Invention
In view of the above, the present disclosure provides an attack type analysis method, apparatus, device and medium for IPv6.
One aspect of the present disclosure provides an attack type analysis method for IPv6, including: deploying a distributed honeypot system under an IPv6 network environment, and capturing attack behaviors to obtain attack information; deploying a NETFLOW monitoring system under the same IPv6 network environment, and acquiring data information generated by accessing an IPv6 network; and analyzing the attack information and the data information in a linkage manner, summarizing attack source IP address sections, and analyzing the differences of attacked types in different areas according to the attack source IP address sections.
According to an embodiment of the disclosure, deploying the distributed honeypot system under the IPv6 network environment comprises: allocating a dedicated network segment to the distributed honeypot system through route division; proportionally distributing the honeypots deployed in different areas according to the attacked type of each area; and configuring the functional modules of the distributed honeypot system, wherein the functional modules comprise a log module, a processing module, a monitoring module and a working module, and wherein: the storage location, event log level and domain of the log are configured through the log module; vulnerability code is detected and the data stream exported through the processing module; external connection data is acquired directly through the monitoring module; and the working parameters of the working module are configured through the working module.
According to an embodiment of the present disclosure, analyzing the attack information and the data information in a linkage manner and summarizing the attack source IP address segment includes: acquiring a black IP address in the attack information; and performing correlation comparison on the IP address and/or the port information and/or the service information and/or the connection state information in the data information according to the black IP address, and summarizing the IP addresses into the attack source IP address segment.
According to an embodiment of the present disclosure, performing correlation comparison on the IP address and/or the port information and/or the service information and/or the connection status information in the data information according to the black IP address, and summarizing the IP addresses into the attack source IP address segment, includes: performing correlation comparison analysis on the data information according to the black IP address to generate a five-tuple, wherein the five-tuple comprises a client IP, a client port, a server IP, a server port and a protocol number; and taking identical five-tuples as a primary key value, generating an IP address dictionary according to the five-tuple, traversing the IP address dictionary and merging address segments to obtain the attack type corresponding to each attack source IP address segment.
According to the embodiment of the disclosure, the attacked types include password blasting attack, proxy server scanning, server side penetration attack and port scanning.
Another aspect of the present disclosure provides an attack type analysis apparatus for IPv6, including: the first deployment module is used for deploying a distributed honeypot system under an IPv6 network environment, and capturing attack behaviors to obtain attack information; the second deployment module is used for deploying a NETFLOW monitoring system under the same IPv6 network environment and acquiring data information generated by accessing an IPv6 network; and the analysis module is used for performing linkage analysis on the attack information and the data information, summarizing the attack source IP address field and analyzing the difference of the attacked types in different areas according to the attack source IP address field.
According to an embodiment of the present disclosure, the first deployment module includes: a division unit, used for allocating a dedicated network segment to the distributed honeypot system through route division; an allocation unit, used for proportionally allocating the honeypots deployed in different regions according to the attacked type of each region; and a configuration unit, used for configuring the functional modules of the distributed honeypot system, wherein the functional modules comprise a log module, a processing module, a monitoring module and a working module, and wherein: the log module is used for configuring the storage location, event log level and domain of the log; the processing module is used for detecting vulnerability code and exporting the data stream; the monitoring module is used for directly acquiring external connection data; and the working module is used for configuring the working parameters of the working module.
According to an embodiment of the present disclosure, the analysis module includes: an obtaining unit, configured to obtain a black IP address in the attack information; and the comparison unit is used for carrying out correlation comparison on the IP address and/or the port information and/or the service information and/or the connection state information in the data information according to the black IP address and summarizing the IP address into the attack source IP address field.
Another aspect of the present disclosure provides an electronic device including: one or more processors; memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method as described above.
Another aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions for implementing the method as described above when executed.
Another aspect of the disclosure provides a computer program comprising computer executable instructions for implementing the method as described above when executed.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of embodiments of the present disclosure with reference to the accompanying drawings, in which:
fig. 1 schematically illustrates a flow chart of an attack type analysis method for IPv6 according to an embodiment of the present disclosure;
FIG. 2 schematically illustrates a deployment diagram of a distributed honeypot system according to an embodiment of the present disclosure;
fig. 3 schematically shows a block diagram of an attack type analysis apparatus for IPv6 according to an embodiment of the present disclosure;
FIG. 4 schematically illustrates a block diagram of a first deployment module in accordance with an embodiment of the disclosure;
FIG. 5 schematically illustrates a block diagram of an analysis module according to an embodiment of the present disclosure;
fig. 6 schematically shows a block diagram of an electronic device adapted to implement the above described method according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, and C together, etc.). Where a convention analogous to "at least one of A, B or C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B or C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, and C together, etc.).
Fig. 1 schematically shows a flowchart of an attack type analysis method for IPv6 according to an embodiment of the present disclosure.
As shown in fig. 1, the method may include operations S101 to S103, for example.
In operation S101, a distributed honeypot system is deployed under the IPv6 network environment, and attack behavior is captured to obtain attack information.
According to the embodiment of the disclosure, the distributed honeypot system induces the attacker to attack it, so that the honeypots capture and analyze the attack behavior. Since the embodiment of the disclosure deploys honeypots in an IPv6 network environment, the honeypot Dionaea, which supports IPv6, is selected; Dionaea is an application that runs on Linux. The application runs in the network environment, and honeypot deployment is achieved by opening the default ports of public Internet services.
Fig. 2 schematically illustrates a deployment diagram of a distributed honeypot system according to an embodiment of the present disclosure.
As shown in fig. 2, in the whole system, honeypots 101 and NETFLOW listening nodes 102 are deployed in a distributed manner in backbone link routers 103. The backbone link router 103 is in turn connected to a splitter device 104 and an analysis server 105.
The distributed honeypot system deployment method can comprise three parts: routing division, deployment proportion distribution and honeypot configuration.
In particular, routing partitioning may refer to allocating a dedicated network segment to the distributed honeypot system through route division, such that traffic to all addresses in such a segment can be received by the honeypots. For example, in the IPv6 environment of the 41 nodes of the backbone network, a large /48 address block is divided up, and the honeypots deployed under each node are assigned to that address segment through route division for collection.
Deployment proportion allocation can refer to proportion allocation of honeypots deployed in different regions according to the attacked type of each region. Since each region is attacked by a different type, deploying the dominating type of honeypots requires a case-specific concrete analysis. As the attacked conditions of each region are different, each attacked type can be uniformly distributed at first, and then honeypot collection type adjustment is carried out according to the obtained attack. The attacked types may include, for example, a password blasting attack, a proxy server scan, a server side penetration attack, and a port scan (or back door scan).
Honeypot configuration can refer to the configuration of the functional modules of the distributed honeypot system, wherein the functional modules include, for example, a log module, a processing module, a monitoring module and a working module, configured as follows:
The log module mainly configures the storage location, event log level and domain of the log. This includes a normal log and an error log, which by default may be located in the directory /opt/dionea/var/log and record all events, and warnings and error events, respectively.
The processing module detects vulnerability code and exports the data stream. The processing module may be configured with libemu and with streamdump, a module for exporting data streams. The libemu part can add or remove the allowed protocols and configure performance parameters such as the maximum flow size supported by shellcode detection, the number of tracking steps and the number of concurrent executions. The streamdump part configures which protocols are allowed and denied when exporting a data stream and where the data stream is saved.
The monitoring module directly acquires external connection data. The monitoring module allows Dionaea to obtain external connection data directly and then respond according to the implementation of the emulated service; connection packets received on ports not supported by the emulated services are first logged and then discarded. The obtained external data can be submitted to a detection module for detection, and the relevant connection information, such as source IP, destination IP, source port, destination port and protocol type, is recorded in a database for analysis and statistics.
The working module configures the working parameters of the working module, i.e. the working parameters of Dionaea. Default configurations may be kept, for example, for emulated services such as curl, libemu and pcap.
In operation S102, a NETFLOW monitoring system is deployed under the same IPv6 network environment, and collects data information generated by accessing the IPv6 network.
According to an embodiment of the disclosure, a NETFLOW data acquisition environment is consistent with an acquisition environment of a distributed honeypot system. The distributed honeypot capture result can be obtained, and the data can be linked with the NETFLOW collected data through the processes of data preprocessing and the like.
In operation S103, linkage analysis is performed on the attack information and the data information, the attack source IP address segments are summarized, and differences between attacked types in different regions are analyzed according to the attack source IP address segments.
According to an embodiment of the present disclosure, the correlation comparison may include: acquiring the black IP addresses in the attack information; and performing correlation comparison on the IP address and/or the port information and/or the service information and/or the connection state information in the data information according to the black IP addresses, and assembling the IP addresses into an attack source IP address segment. According to the embodiment of the disclosure, several fields, such as protocol type, service type and port, are selected for address segment merging according to the correspondence between the fields.
Specifically, first, correlation comparison analysis is performed on the data information according to the black IP addresses to generate a five-tuple, where the five-tuple includes a client IP, a client port, a server IP, a server port and a protocol number. At the same time, other information for each flow can also be obtained: request/response judgment, TCP flags, traffic volume and timestamp information.
Secondly, an IP address dictionary is generated from the five-tuples, taking identical five-tuples as the primary key value, so that data flows with the same primary key are stored in one list.
Finally, the IP address dictionary is traversed and address segments are merged to obtain the attack type corresponding to each attack source IP address segment. Specifically, according to the address segment summary generation rule, information is read from the IP address dictionary to generate a source IP address dictionary: the source IP is the primary key and the value is a new dictionary, whose primary key is a source port used by that source IP and whose value is a list of information such as destination IP, destination port and timestamp. An attack type summary table corresponding to each source IP address segment is then generated by traversing the dictionary and merging address segments.
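The three steps above (five-tuple correlation, the per-source IP address dictionary, and the address segment summary) carried out on constructed sample data, as an added example that is not part of the patent. The port-based rules for assigning the four attacked types, the /48 segment length and all addresses and flow records are assumptions made for the example.

```python
"""Linkage analysis of honeypot 'black IP' addresses against NetFlow records:
five-tuple correlation, a per-source IP address dictionary, and a per-segment
attack type summary (added example; not the patent's own code)."""
from collections import Counter, defaultdict
import ipaddress

# Constructed sample: attacker addresses reported by the honeypots (attack information).
BLACK_IPS = {"2001:db8:1:1::10", "2001:db8:1:2::77", "2001:db8:9:9::5"}

# Constructed sample NetFlow records (data information):
# (client IP, client port, server IP, server port, protocol number, bytes, timestamp)
FLOWS = [
    # repeated SSH connections from 2001:db8:1:1::10 (password brute force)
    ("2001:db8:1:1::10", 40001, "2001:db8:ff::1", 22, 6, 1200, 1600000000),
    ("2001:db8:1:1::10", 40002, "2001:db8:ff::1", 22, 6, 1300, 1600000001),
    ("2001:db8:1:1::10", 40003, "2001:db8:ff::1", 22, 6, 1250, 1600000002),
    # many destination ports from 2001:db8:1:2::77, same /48 as above (port scan)
    ("2001:db8:1:2::77", 50000, "2001:db8:ff::2", 21, 6, 60, 1600000010),
    ("2001:db8:1:2::77", 50000, "2001:db8:ff::2", 25, 6, 60, 1600000011),
    ("2001:db8:1:2::77", 50000, "2001:db8:ff::2", 80, 6, 60, 1600000012),
    ("2001:db8:1:2::77", 50000, "2001:db8:ff::2", 110, 6, 60, 1600000013),
    ("2001:db8:1:2::77", 50000, "2001:db8:ff::2", 143, 6, 60, 1600000014),
    ("2001:db8:1:2::77", 50000, "2001:db8:ff::2", 443, 6, 60, 1600000015),
    # proxy ports probed from a different /48 (proxy server scan)
    ("2001:db8:9:9::5", 3333, "2001:db8:ff::3", 3128, 6, 300, 1600000020),
    ("2001:db8:9:9::5", 3334, "2001:db8:ff::3", 8080, 6, 300, 1600000021),
    # ordinary client never flagged by the honeypots: must be dropped by the linkage step
    ("2001:db8:5:5::1", 1234, "2001:db8:ff::1", 443, 6, 5000, 1600000030),
]

# Assumed classification rules: the patent names the four types but not how they are assigned.
PASSWORD_PORTS = {21, 22, 23, 3389}
PROXY_PORTS = {1080, 3128, 8080, 8888}
SCAN_MIN_DISTINCT_PORTS = 5


def correlate(black_ips, flows):
    """Steps 1 and 2: keep only flows whose client IP is a black IP and group them
    by five-tuple; flows sharing the same primary key land in one list."""
    by_tuple = defaultdict(list)
    for src, sport, dst, dport, proto, nbytes, ts in flows:
        if src in black_ips:
            by_tuple[(src, sport, dst, dport, proto)].append({"bytes": nbytes, "ts": ts})
    return by_tuple


def build_source_dict(by_tuple):
    """Step 3a: source IP -> {source port -> [(destination IP, destination port, timestamp)]}."""
    src_dict = defaultdict(lambda: defaultdict(list))
    for (src, sport, dst, dport, _proto), records in by_tuple.items():
        for rec in records:
            src_dict[src][sport].append((dst, dport, rec["ts"]))
    return src_dict


def classify(port_map):
    """Assign one of the four attacked types to a source from the destination ports it touched."""
    dst_ports = {dport for entries in port_map.values() for _, dport, _ in entries}
    if len(dst_ports) >= SCAN_MIN_DISTINCT_PORTS:
        return "port scan"
    if dst_ports <= PASSWORD_PORTS:
        return "password blasting attack"
    if dst_ports <= PROXY_PORTS:
        return "proxy server scan"
    return "server side penetration attack"


def summarize_by_segment(src_dict, prefixlen=48):
    """Step 3b: merge sources into address segments (/48 here, matching the backbone
    allocation in the text) and count the attack types seen per segment."""
    table = defaultdict(Counter)
    for src, port_map in src_dict.items():
        segment = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
        table[str(segment)][classify(port_map)] += 1
    return {seg: dict(counts) for seg, counts in table.items()}


def analyze(black_ips, flows, prefixlen=48):
    """Run the full linkage analysis: {segment: {attack type: number of sources}}."""
    return summarize_by_segment(build_source_dict(correlate(black_ips, flows)), prefixlen)


if __name__ == "__main__":
    for segment, counts in sorted(analyze(BLACK_IPS, FLOWS).items()):
        print(segment, counts)
```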
According to the attack type analysis method for IPv6 provided by the embodiment of the disclosure, the distributed honeypot system is deployed under the IPv6 network environment, the data acquired by the honeypot and the NETFLOW data are analyzed in a linkage manner, and the IP address field of the attack source is collected, so that the difference of attack types in different regions can be accurately and efficiently analyzed, and the defense capability of an education network backbone network based on IPv6 and the like is greatly improved.
Based on the same inventive concept, the embodiment of the present disclosure provides an attack type analysis apparatus for IPv 6.
Fig. 3 schematically shows a block diagram of an attack type analysis apparatus for IPv6 according to an embodiment of the present disclosure.
As shown in fig. 3, the attack type analysis apparatus 500 for IPv6 may include, for example: a first deployment module 310, a second deployment module 320, and an analysis module 330.
The first deployment module 310 is configured to deploy the distributed honeypot system under the IPv6 network environment, and capture the attack behavior to obtain attack information.
The second deployment module 320 is configured to deploy a NETFLOW monitoring system in the same IPv6 network environment, and collect data information generated by accessing the IPv6 network.
And the analysis module 330 is configured to perform linkage analysis on the attack information and the data information, summarize the attack source IP address segment, and analyze differences between attacked types in different regions according to the attack source IP address segment.
Fig. 4 schematically illustrates a block diagram of a first deployment module in accordance with an embodiment of the disclosure.
As shown in fig. 4, the first deployment module 310 includes:
The dividing unit 311 is configured to allocate a dedicated network segment to the distributed honeypot system through route division.
The allocation unit 312 is configured to allocate the honeypots deployed in different regions in proportion according to the attacked type of each region.
The configuration unit 313 is configured to configure the functional modules of the distributed honeypot system, where the functional modules include a log module, a processing module, a monitoring module, and a working module. The log module is used for configuring the storage location, event log level, and domain of the log. The processing module is used for detecting vulnerability code and exporting the data stream. The monitoring module is used for directly acquiring external connection data. The working module is used for configuring the working parameters of the working module.
Fig. 5 schematically illustrates a block diagram of an analysis module according to an embodiment of the present disclosure.
As shown in fig. 5, the analysis module 330 may include:
The obtaining unit 331 is configured to obtain the black IP address in the attack information.
The comparing unit 332 is configured to perform correlation comparison on the IP address and/or the port information and/or the service information and/or the connection state information in the data information according to the black IP address, and to assemble the IP addresses into the attack source IP address segment.
Any number of modules, sub-modules, units, sub-units, or at least part of the functionality of any number thereof according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules, sub-modules, units, and sub-units according to the embodiments of the present disclosure may be implemented by being split into a plurality of modules. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in any other reasonable manner of hardware or firmware by integrating or packaging a circuit, or in any one of or a suitable combination of software, hardware, and firmware implementations. Alternatively, one or more of the modules, sub-modules, units, sub-units according to embodiments of the disclosure may be at least partially implemented as a computer program module, which when executed may perform the corresponding functions.
For example, any plurality of the first deployment module 310, the second deployment module 320, and the analysis module 330 may be combined and implemented in one module/unit/sub-unit, or any one of the modules/units/sub-units may be split into a plurality of modules/units/sub-units. Alternatively, at least part of the functionality of one or more of these modules/units/sub-units may be combined with at least part of the functionality of other modules/units/sub-units and implemented in one module/unit/sub-unit. According to an embodiment of the present disclosure, at least one of the first deployment module 310, the second deployment module 320, and the analysis module 330 may be implemented at least partially as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or in any one of three implementations of software, hardware, and firmware, or in any suitable combination of any of them. Alternatively, at least one of the first deployment module 310, the second deployment module 320 and the analysis module 330 may be at least partially implemented as a computer program module that, when executed, may perform a corresponding function.
It should be noted that, the attack type analysis device part for IPv6 in the embodiment of the present disclosure corresponds to the attack type analysis method part for IPv6 in the embodiment of the present disclosure, and the specific implementation details and the technical effects thereof are also the same, and are not described herein again.
Fig. 6 schematically shows a block diagram of an electronic device adapted to implement the above described method according to an embodiment of the present disclosure. The electronic device shown in fig. 6 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 6, an electronic device 600 according to an embodiment of the present disclosure includes a processor 601, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. Processor 601 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 601 may also include onboard memory for caching purposes. Processor 601 may include a single processing unit or multiple processing units for performing different actions of a method flow according to embodiments of the disclosure.
In the RAM603, various programs and data necessary for the operation of the electronic apparatus 600 are stored. The processor 601, the ROM 602, and the RAM603 are connected to each other via a bus 604. The processor 601 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 602 and/or RAM 603. It is to be noted that the programs may also be stored in one or more memories other than the ROM 602 and RAM 603. The processor 601 may also perform various operations of the method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the disclosure, the electronic device 600 may also include an input/output (I/O) interface 605, which is also connected to the bus 604. The electronic device 600 may also include one or more of the following components connected to the I/O interface 605: an input portion 603 including a keyboard, a mouse, and the like; an output portion 607 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), a speaker, and the like; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card, a modem, or the like. The communication section 609 performs communication processing via a network such as the internet. A drive 610 is also connected to the I/O interface 605 as needed. A removable medium 611 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 610 as necessary, so that a computer program read from it can be installed into the storage section 608 as needed.
According to embodiments of the present disclosure, method flows according to embodiments of the present disclosure may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 609, and/or installed from the removable medium 611. The computer program, when executed by the processor 601, performs the above-described functions defined in the system of the embodiments of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to an embodiment of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium. Examples may include, but are not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 602 and/or RAM603 described above and/or one or more memories other than the ROM 602 and RAM 603.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that various combinations and/or associations of features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or associations are not expressly recited in the present disclosure. In particular, various combinations and/or associations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (10)

1. An attack type analysis method for IPv6, comprising:
deploying a distributed honeypot system under an IPv6 network environment, and capturing attack behaviors to obtain attack information;
deploying a NETFLOW monitoring system under the same IPv6 network environment, and acquiring data information generated by accessing an IPv6 network;
and analyzing the attack information and the data information in a linkage manner, summarizing attack source IP address segments, and analyzing the differences of attacked types in different areas according to the attack source IP address segments.
2. The attack type analysis method for IPv6 according to claim 1, wherein the deploying a distributed honeypot system under an IPv6 network environment includes:
allocating a dedicated network segment to the distributed honeypot system by route division;
according to the attacked type of each area, proportionally distributing honeypots deployed in different areas;
and configuring functional modules of the distributed honeypot system, wherein the functional modules comprise a log module, a processing module, a monitoring module and a working module, and wherein:
configuring a storage position, an event log level and a domain of a log through the log module;
detecting, by the processing module, a vulnerability code and exporting a data stream;
directly acquiring external connection data through the monitoring module;
and configuring the working parameters of the working module through the working module.
3. The attack type analysis method for IPv6 according to claim 1, wherein the linkage analysis of the attack information and the data information and the summarizing of the attack source IP address segments includes:
acquiring a black IP address in the attack information;
and performing correlation comparison on the IP address and/or the port information and/or the service information and/or the connection state information in the data information according to the black IP address, and summarizing the IP address into the attack source IP address segment.
4. The attack type analysis method for IPv6 according to claim 3, wherein the correlation comparison of the IP addresses and/or port information and/or service information and/or connection status information in the data information according to the black IP address, and the summarizing of the IP addresses into the attack source IP address segment, includes:
performing correlation contrast analysis on the data information according to the black IP address to generate a five-tuple, wherein the five-tuple comprises a client IP, a client port, a server IP, a server port and a protocol number;
using the five-tuple as a primary key, generating an IP address dictionary from the five-tuples;
and traversing the IP address dictionary and merging address segments to obtain the attack type corresponding to each attack source IP address segment.
5. The attack type analysis method for IPv6 according to claim 2, wherein the attacked types include a password blasting (brute-force) attack, a proxy server scan, a server side penetration attack, and a port scan.
6. An attack type analysis apparatus for IPv6, comprising:
the first deployment module is used for deploying a distributed honeypot system under an IPv6 network environment, and capturing attack behaviors to obtain attack information;
the second deployment module is used for deploying a NETFLOW monitoring system under the same IPv6 network environment and acquiring data information generated by accessing an IPv6 network;
and the analysis module is used for performing linkage analysis on the attack information and the data information, summarizing the attack source IP address segments and analyzing the difference of the attacked types in different areas according to the attack source IP address segments.
7. The attack type analysis apparatus for IPv6 according to claim 6, wherein the first deployment module includes:
the division unit is used for allocating a dedicated network segment to the distributed honeypot system by route division;
the allocation unit is used for performing proportional allocation on honeypots deployed in different regions according to the attacked type of each region;
the configuration unit is used for configuring functional modules of the distributed honeypot system, the functional modules comprise a log module, a processing module, a monitoring module and a working module, wherein:
the log module is used for configuring the storage position, the event log level and the domain of the log;
the processing module is used for detecting vulnerability code and exporting the data stream;
the monitoring module is used for directly acquiring external connection data;
the working module is used for configuring working parameters of the working module.
8. The attack type analysis apparatus for IPv6 according to claim 6, wherein the analysis module includes:
an obtaining unit, configured to obtain a black IP address in the attack information;
and the comparison unit is used for carrying out correlation comparison on the IP address and/or the port information and/or the service information and/or the connection state information in the data information according to the black IP address and summarizing the IP address into the attack source IP address segment.
9. An electronic device, comprising:
one or more processors;
a memory for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1-5.
10. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to carry out the method of any one of claims 1 to 5.
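The linkage analysis of claims 3 and 4 (black IP addresses from the honeypots matched against NetFlow five-tuples, an IP address dictionary keyed by the five-tuple, then address-segment merging and a per-region attack-type summary as in claim 1) can be shown end to end in a few functions. The following is an added worked example in Python, not code from the patent or from CERNET; the honeypot records, the NetFlow-style flow records, the region table, and the choice of /64 as the merge granularity are all constructed assumptions.

```python
"""Added worked example (not the patent's own code): correlate honeypot
"black" IP addresses with NetFlow records into a five-tuple keyed IP
address dictionary, merge the attacking client addresses into IPv6
address segments, and summarise attack types per segment and per region.
All sample data below is constructed for illustration."""

import ipaddress
from collections import defaultdict

# Constructed honeypot attack information: black IP address -> attack type captured
HONEYPOT_ATTACKS = {
    "2001:db8:1:10::5": "password blasting",
    "2001:db8:1:10::77": "password blasting",
    "2001:db8:1:11::3": "port scan",
    "2001:db8:2:20::9": "proxy server scan",
    "2001:db8:2:21::1": "server side penetration",
}

# Constructed NetFlow-style records as five-tuples:
# (client IP, client port, server IP, server port, protocol number)
NETFLOW_RECORDS = [
    ("2001:db8:1:10::5", 51234, "2001:db8:ff::1", 22, 6),
    ("2001:db8:1:10::5", 51235, "2001:db8:ff::1", 22, 6),
    ("2001:db8:1:10::77", 40000, "2001:db8:ff::2", 22, 6),
    ("2001:db8:1:11::3", 40001, "2001:db8:ff::3", 445, 6),
    ("2001:db8:2:20::9", 40002, "2001:db8:ff::4", 8080, 6),
    ("2001:db8:2:21::1", 40003, "2001:db8:ff::5", 80, 6),
    ("2001:db8:9:9::1", 40004, "2001:db8:ff::6", 80, 6),  # not a black IP: ignored
]

# Constructed region table (assumption): which /48 belongs to which region
REGIONS = {
    "2001:db8:1::/48": "region-A",
    "2001:db8:2::/48": "region-B",
}


def build_ip_dictionary(attacks, flows):
    """Keep only flows whose client IP is a black IP from the honeypot data and
    key them by the full five-tuple (the primary key), attaching the attack type."""
    ip_dict = {}
    for five_tuple in flows:
        client_ip = five_tuple[0]
        if client_ip in attacks:
            ip_dict[five_tuple] = attacks[client_ip]
    return ip_dict


def merge_address_segments(ip_dict, prefixlen=64):
    """Traverse the IP address dictionary, bucket each attacking client address
    into its /prefixlen segment, then collapse adjacent segments into larger
    attack source IP address segments with per-type counts."""
    per_segment = defaultdict(lambda: defaultdict(int))
    for (client_ip, _cport, _sip, _sport, _proto), attack_type in ip_dict.items():
        seg = ipaddress.ip_network(f"{client_ip}/{prefixlen}", strict=False)
        per_segment[seg][attack_type] += 1
    merged = {}
    for net in ipaddress.collapse_addresses(per_segment.keys()):
        counts = defaultdict(int)
        for seg, seg_counts in per_segment.items():
            if seg.subnet_of(net):
                for attack_type, n in seg_counts.items():
                    counts[attack_type] += n
        merged[str(net)] = dict(counts)
    return merged


def attack_types_by_region(merged, regions):
    """Attribute each merged attack source segment to a region and aggregate
    the attack-type counts so regions can be compared."""
    region_nets = {ipaddress.ip_network(r): name for r, name in regions.items()}
    by_region = defaultdict(lambda: defaultdict(int))
    for net_str, counts in merged.items():
        net = ipaddress.ip_network(net_str)
        region = next((name for r, name in region_nets.items() if net.subnet_of(r)), "unknown")
        for attack_type, n in counts.items():
            by_region[region][attack_type] += n
    return {r: dict(c) for r, c in by_region.items()}


if __name__ == "__main__":
    ip_dict = build_ip_dictionary(HONEYPOT_ATTACKS, NETFLOW_RECORDS)
    merged = merge_address_segments(ip_dict)
    for net, counts in merged.items():
        print(net, counts)
    print(attack_types_by_region(merged, REGIONS))
```

With the constructed data the two /64 segments under 2001:db8:1::/48 collapse into 2001:db8:1:10::/63 and the two under 2001:db8:2::/48 into 2001:db8:2:20::/63, so the per-region summary shows region-A dominated by password blasting and region-B by scanning and penetration attempts; in a real deployment the region table would come from the honeypot placement described in claim 2 and the merge prefix length from the allocation granularity of the monitored network.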
CN202011522457.0A 2020-12-21 2020-12-21 Attack type analysis method, device, equipment and medium for IPv6 Pending CN112688933A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011522457.0A CN112688933A (en) 2020-12-21 2020-12-21 Attack type analysis method, device, equipment and medium for IPv6

Publications (1)

Publication Number Publication Date
CN112688933A true CN112688933A (en) 2021-04-20

Family

ID=75450092

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011522457.0A Pending CN112688933A (en) 2020-12-21 2020-12-21 Attack type analysis method, device, equipment and medium for IPv6

Country Status (1)

Country Link
CN (1) CN112688933A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114285663A (en) * 2021-12-28 2022-04-05 赛尔网络有限公司 Method, device, equipment and medium for managing attack source address
CN114491533A (en) * 2022-01-24 2022-05-13 烽台科技(北京)有限公司 Data processing method, device, server and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3343869A1 (en) * 2016-12-28 2018-07-04 Deutsche Telekom AG A method for modeling attack patterns in honeypots
CN111885020A (en) * 2020-07-08 2020-11-03 福建奇点时空数字科技有限公司 Network attack behavior real-time capturing and monitoring system with distributed architecture

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Xu Na et al.: "Research and Application of Large-Scale Distributed Honeynet Technology", Netinfo Security (信息网络安全) *

Similar Documents

Publication Publication Date Title
Baykara et al. A novel honeypot based security approach for real-time intrusion detection and prevention systems
Akhunzada et al. Secure and dependable software defined networks
CN112187825B (en) Honeypot defense method, system, equipment and medium based on mimicry defense
US9762599B2 (en) Multi-node affinity-based examination for computer network security remediation
Alsmadi et al. Security of software defined networks: A survey
US9686296B1 (en) Systems and methods for providing network security monitoring
Roschke et al. Intrusion detection in the cloud
US10826933B1 (en) Technique for verifying exploit/malware at malware detection appliance through correlation with endpoints
US20150326587A1 (en) Distributed system for bot detection
WO2017139489A1 (en) Automated honeypot provisioning system
Krishnan et al. OpenStackDP: a scalable network security framework for SDN-based OpenStack cloud infrastructure
EP3862879B1 (en) Container network interface monitoring
US20230208871A1 (en) Systems and methods for vulnerability assessment for cloud assets using imaging methods
Li et al. Evaluation of security vulnerabilities by using ProtoGENI as a launchpad
Chovancová et al. Securing distributed computer systems using an advanced sophisticated hybrid honeypot technology
KR20110068308A (en) System and method for network attack detection and analysis
CN112688933A (en) Attack type analysis method, device, equipment and medium for IPv6
Liyanage et al. Software defined security monitoring in 5G networks
Tabiban et al. ProvTalk: Towards Interpretable Multi-level Provenance Analysis in Networking Functions Virtualization (NFV).
Rao et al. SEDoS-7: a proactive mitigation approach against EDoS attacks in cloud computing
Demırcı et al. Virtual security functions and their placement in software defined networks: A survey
WO2017217247A1 (en) Malignant event detection apparatus, malignant event detection method, and malignant event detection program
Tudosi et al. Design and implementation of a distributed firewall management system for improved security
Combe et al. An sdn and nfv use case: Ndn implementation and security monitoring
Leal et al. Improving early attack detection in networks with sFlow and SDN

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210420